CVE-2026-39326 Overview
CVE-2026-39326 is a SQL injection vulnerability in ChurchCRM, an open-source church management system. Prior to version 7.1.0, the /PropertyTypeEditor.php endpoint is susceptible to SQL injection attacks. Authenticated users with the isMenuOptionsEnabled role can inject arbitrary SQL statements through the Name and Description parameters, allowing them to extract and modify information from the database.
Critical Impact
Authenticated attackers can exploit this SQL injection vulnerability to extract sensitive church member data, modify database records, and potentially compromise the entire ChurchCRM installation.
Affected Products
- ChurchCRM versions prior to 7.1.0
Discovery Timeline
- 2026-04-07 - CVE-2026-39326 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-39326
Vulnerability Analysis
This SQL injection vulnerability (CWE-89) exists in the /PropertyTypeEditor.php endpoint within ChurchCRM. The vulnerability allows authenticated users who have been assigned the isMenuOptionsEnabled role to inject malicious SQL code through user-controllable input fields. The Name and Description parameters are not properly sanitized before being incorporated into SQL queries, creating an injection point that can be exploited to manipulate database operations.
The attack requires network access and low-privilege authentication, making it accessible to any user with the appropriate role assignment. Once exploited, an attacker can achieve full compromise of data confidentiality and integrity within the ChurchCRM database.
Root Cause
The root cause of this vulnerability is insufficient input validation and improper sanitization of user-supplied data in the PropertyTypeEditor.php file. The Name and Description parameters are directly incorporated into SQL queries without proper parameterization or escaping, violating secure coding practices for database interactions.
Attack Vector
The attack is network-based and requires an authenticated session with a user account that has the isMenuOptionsEnabled permission. An attacker would craft malicious SQL payloads within the Name or Description fields when interacting with the Property Type Editor functionality. These payloads can be designed to:
- Extract sensitive data from the database using UNION-based or error-based injection techniques
- Modify existing database records to alter church member information
- Enumerate database schema and table structures
- Potentially escalate privileges within the application
The vulnerability mechanism involves unsanitized user input being concatenated directly into SQL query strings. When the application processes requests to the /PropertyTypeEditor.php endpoint, the Name and Description field values are incorporated into database queries without proper parameterized statements. For detailed technical analysis, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-39326
Indicators of Compromise
- Unusual database query patterns or errors in application logs related to PropertyTypeEditor.php
- Unexpected data modifications in property type records
- Authentication logs showing suspicious activity from accounts with isMenuOptionsEnabled role
- Web server access logs containing SQL syntax in request parameters to /PropertyTypeEditor.php
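The last indicator above can be checked mechanically. The script below is an added example, not part of this advisory or of ChurchCRM: it parses web-server access-log lines, URL-decodes the query string of requests to /PropertyTypeEditor.php, and flags Name or Description values that contain SQL syntax. The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx access-log line ("common" or "combined" format); only the leading fields matter here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# The two parameters the advisory names as the injection points (matched case-insensitively).
WATCHED_PARAMS = {"name", "description"}

# Conservative SQL-syntax indicators: quote followed by a boolean clause, comment markers, stacked
# statements, UNION SELECT, time-based functions. A lone apostrophe ("Men's group") is not flagged.
SQL_PATTERN = re.compile(
    r"('\s*(or|and)\s+[\w']+\s*=|--(\s|$)|/\*|;\s*(select|update|delete|insert|drop)\b"
    r"|\bunion\s+(all\s+)?select\b|\b(sleep|benchmark)\s*\()", re.IGNORECASE)

def parse_line(line):
    # Returns the parsed fields, with the query string URL-decoded, or None if the line is malformed.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec

def find_injection_attempts(lines):
    # One hit per watched parameter value on the vulnerable endpoint that carries SQL syntax.
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/PropertyTypeEditor.php"):
            continue
        for param, values in rec["params"].items():
            if param.lower() in WATCHED_PARAMS:
                for value in values:
                    if SQL_PATTERN.search(value):
                        hits.append({"ip": rec["ip"], "user": rec["user"], "ts": rec["ts"], "param": param, "value": value})
    return hits

# Constructed sample lines (not real traffic): a benign edit, two injection attempts from one
# account, and an unrelated request that must be ignored.
SAMPLE_LOG = [
    '10.0.0.5 - alice [07/Apr/2026:10:12:01 +0000] "GET /PropertyTypeEditor.php?Name=Youth%20Group&Description=Men%27s%20group HTTP/1.1" 200 4321',
    '10.0.0.9 - bob [07/Apr/2026:10:13:44 +0000] "GET /PropertyTypeEditor.php?Name=x%27%20UNION%20SELECT%201--&Description=test HTTP/1.1" 200 5120',
    '10.0.0.9 - bob [07/Apr/2026:10:14:02 +0000] "GET /PropertyTypeEditor.php?Name=%27%20OR%20%271%27%3D%271&Description= HTTP/1.1" 200 5120',
    '10.0.0.7 - carol [07/Apr/2026:10:15:10 +0000] "GET /index.php?q=hello HTTP/1.1" 200 800',
]
```

Access logs only record the query string, so values submitted in a POST body are not visible here; for those, correlate with application or database logs as the strategies below describe.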
Detection Strategies
- Implement web application firewall (WAF) rules to detect SQL injection patterns in requests to /PropertyTypeEditor.php
- Monitor database query logs for anomalous statements originating from the ChurchCRM application
- Deploy intrusion detection systems (IDS) with signatures for common SQL injection payloads
- Audit user accounts with isMenuOptionsEnabled role for unauthorized access or suspicious activity
Monitoring Recommendations
- Enable detailed logging for the ChurchCRM application, particularly for database operations
- Configure alerts for failed or unusual database queries
- Monitor for bulk data extraction attempts or unusually large query result sets
- Implement regular security audits of user role assignments within ChurchCRM
How to Mitigate CVE-2026-39326
Immediate Actions Required
- Upgrade ChurchCRM to version 7.1.0 or later immediately
- Review and restrict user accounts with the isMenuOptionsEnabled role to trusted administrators only
- Audit database logs for any signs of prior exploitation
- Implement network segmentation to limit access to the ChurchCRM installation
Patch Information
This vulnerability is fixed in ChurchCRM version 7.1.0. Organizations should upgrade to this version or later to remediate the vulnerability. The fix implements proper input sanitization and parameterized queries for the affected endpoint. For additional details, see the GitHub Security Advisory.
Workarounds
- Temporarily disable or restrict access to the Property Type Editor functionality until patching is complete
- Implement a web application firewall (WAF) with rules to block SQL injection attempts targeting the vulnerable endpoint
- Revoke isMenuOptionsEnabled permissions from non-essential user accounts
- Place the ChurchCRM application behind an authentication proxy to add an additional access control layer
# Example: Restrict access to PropertyTypeEditor.php via Apache .htaccess (Apache 2.4 syntax)
# Add to your ChurchCRM .htaccess file; the directory must allow "AllowOverride AuthConfig"
# Replace 192.168.1.0/24 (an example subnet) with the network your administrators use
<Files "PropertyTypeEditor.php">
    Require ip 192.168.1.0/24
    # Or deny all access temporarily
    # Require all denied
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.